@@ -43,15 +43,23 b' sys_info = json.dumps(get_sys_info())' | |||||
43 | class AuthenticatedHandler(web.RequestHandler): |
|
43 | class AuthenticatedHandler(web.RequestHandler): | |
44 | """A RequestHandler with an authenticated user.""" |
|
44 | """A RequestHandler with an authenticated user.""" | |
45 |
|
45 | |||
|
46 | @property | |||
|
47 | def content_security_policy(self): | |||
|
48 | """The default Content-Security-Policy header | |||
|
49 | ||||
|
50 | Can be overridden by defining Content-Security-Policy in settings['headers'] | |||
|
51 | """ | |||
|
52 | return '; '.join([ | |||
|
53 | "frame-ancestors 'self'", | |||
|
54 | # Make sure the report-uri is relative to the base_url | |||
|
55 | "report-uri " + url_path_join(self.base_url, csp_report_uri), | |||
|
56 | ]) | |||
|
57 | ||||
46 | def set_default_headers(self): |
|
58 | def set_default_headers(self): | |
47 | headers = self.settings.get('headers', {}) |
|
59 | headers = self.settings.get('headers', {}) | |
48 |
|
60 | |||
49 | if "Content-Security-Policy" not in headers: |
|
61 | if "Content-Security-Policy" not in headers: | |
50 |
headers["Content-Security-Policy"] = |
|
62 | headers["Content-Security-Policy"] = self.content_security_policy | |
51 | "frame-ancestors 'self'; " |
|
|||
52 | # Make sure the report-uri is relative to the base_url |
|
|||
53 | "report-uri " + url_path_join(self.base_url, csp_report_uri) + ";" |
|
|||
54 | ) |
|
|||
55 |
|
63 | |||
56 | # Allow for overriding headers |
|
64 | # Allow for overriding headers | |
57 | for header_name,value in headers.items() : |
|
65 | for header_name,value in headers.items() : | |
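Review bot: `headers = self.settings.get('headers', {})` on new line 59 followed by `headers["Content-Security-Policy"] = self.content_security_policy` on line 62 writes into the dict held in the application settings whenever `headers` is configured, so the first handler to run stores its policy there and later handlers find the key already present and skip their own. The old code mutated the same dict, but with one shared policy that was harmless; now that `APIHandler` tightens the policy with `default-src 'none'` (next hunk), the looser policy of whichever handler ran first would be served for API responses as well. Copying before merging, `headers = dict(self.settings.get('headers', {}))`, keeps the merge per request. The body of `set_default_headers` continues outside the hunk.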
@@ -311,8 +319,16 b' class IPythonHandler(AuthenticatedHandler):' | |||||
311 |
|
319 | |||
312 | class APIHandler(IPythonHandler): |
|
320 | class APIHandler(IPythonHandler): | |
313 | """Base class for API handlers""" |
|
321 | """Base class for API handlers""" | |
|
322 | ||||
|
323 | @property | |||
|
324 | def content_security_policy(self): | |||
|
325 | csp = '; '.join([ | |||
|
326 | super(APIHandler, self).content_security_policy, | |||
|
327 | "default-src 'none'", | |||
|
328 | ]) | |||
|
329 | return csp | |||
|
330 | ||||
314 | def finish(self, *args, **kwargs): |
|
331 | def finish(self, *args, **kwargs): | |
315 | self.set_header('Content-Security-Policy', "default-src 'none'") |
|
|||
316 | self.set_header('Content-Type', 'application/json') |
|
332 | self.set_header('Content-Type', 'application/json') | |
317 | return super(APIHandler, self).finish(*args, **kwargs) |
|
333 | return super(APIHandler, self).finish(*args, **kwargs) | |
318 |
|
334 |
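Review bot: The new `content_security_policy` override at lines 323–329 has no docstring, while the base property it extends does; as the policy applied to every API response it deserves one, e.g. `"""CSP for JSON API responses: the base policy plus default-src 'none', since an API document should load nothing."""`. It would also be worth stating there that, unlike the removed `set_header` call in `finish`, this policy now yields to a `Content-Security-Policy` entry in `settings['headers']`, so an operator override replaces the API restriction rather than adding to it (inferred from the base class's `set_default_headers` in the first hunk). The `csp` local could be dropped in favour of returning the join directly, but that is cosmetic.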
@@ -68,6 +68,7 b' class KernelAPITest(NotebookTestBase):' | |||||
68 | self.assertEqual(r.headers['Content-Security-Policy'], ( |
|
68 | self.assertEqual(r.headers['Content-Security-Policy'], ( | |
69 | "frame-ancestors 'self'; " |
|
69 | "frame-ancestors 'self'; " | |
70 | "report-uri /api/security/csp-report;" |
|
70 | "report-uri /api/security/csp-report; " | |
|
71 | "default-src 'none'" | |||
71 | )) |
|
72 | )) | |
72 |
|
73 | |||
73 | def test_main_kernel_handler(self): |
|
74 | def test_main_kernel_handler(self): | |
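Review bot: The expected policy string is spelled out twice, here at lines 68–71 and again at lines 82–85 of the next hunk; now that the policy is composed from two handler-level properties, a single class-level constant such as `EXPECTED_API_CSP = "frame-ancestors 'self'; report-uri /api/security/csp-report; default-src 'none'"` would keep both assertions in step when either piece changes. Both assertions only check a successful response; since the header is now set in `set_default_headers` rather than `finish`, a check on an error response (for instance a request for a kernel id that does not exist) would confirm the API policy survives the error path too — I have not verified how that path resets headers here. The enclosing test methods start outside the hunk.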
@@ -81,6 +82,7 b' class KernelAPITest(NotebookTestBase):' | |||||
81 | self.assertEqual(r.headers['Content-Security-Policy'], ( |
|
82 | self.assertEqual(r.headers['Content-Security-Policy'], ( | |
82 | "frame-ancestors 'self'; " |
|
83 | "frame-ancestors 'self'; " | |
83 | "report-uri /api/security/csp-report;" |
|
84 | "report-uri /api/security/csp-report; " | |
|
85 | "default-src 'none'" | |||
84 | )) |
|
86 | )) | |
85 |
|
87 | |||
86 | # GET request |
|
88 | # GET request |